VPN tunnel dies on IP update



  • Why is it that my VPN tunnels die whenever the IP address changes on one end of the tunnel? Yes, I am specifying my DynDNS hostname on both ends of the tunnel in the IPsec configuration. Restarting the VPN on one end of the tunnel does not seem to resolve the issue. When this happens a reboot seems to fix it, but rebooting the firewall every other week is not a viable solution.

    I'm running pfSense 1.2.3-RC1.

    Thanks!



  • The problem looks to be that when side 1's IP address changes, side 2 only updates the tunnel with the subnet of the LAN interface. I have several other tunnels with different subnets behind the pfSense box that never get updated. In fact, it keeps trying to connect to the old IP address on tunnels that are for subnets other than the LAN interface.



  • Found the issue; it's fixed. I ran into this as well. If you have multiple tunnels with DynDNS, that can break.



  • Is that fixed in the latest snapshot, then?

    Thanks!



  • Note that when one end of the tunnel gets a new IP address, the old policies will need to be purged before new ones can be established.

    That's normal. If I understood you correctly, this was specific to a 2nd tunnel to the same host, correct?



  • @databeestje:

    Note that when one end of the tunnel gets a new IP address, the old policies will need to be purged before new ones can be established.

    Hello,

    I started a new topic and, in my case, I noticed what you said…

    Perhaps you have an idea for my problem?

    http://forum.pfsense.org/index.php/topic,18490.0.html

    Sincerely,



  • If I understood you correctly, this was specific to a 2nd tunnel to the same host, correct?

    Yes, that sounds correct. I have a normal site-to-site IPsec VPN with the pfSense boxes being the endpoints. Then, on top of that, I have several routers and subnets behind each end of the IPsec VPN firewalls. I've created a VPN tunnel for each additional subnet to permit traffic between the interfaces, but these are the ones that never automatically get updated. An IPsec restart on the non-changed (IP address) side gets things running smoothly again. Since it's DHCP, this happens every few weeks, which makes me think how nice static IPs are… but oh yeah, those cost more money. ::)

    Thanks.
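The two posts above describe the mechanism (stale policies for the peer's old address must be purged before new SAs can come up) and the manual workaround (restart IPsec on the side whose address did not change). The script below is an added example, not pfSense code and not something any poster in this thread ran: a small watchdog that polls the DynDNS hostname of each peer, and only when the resolved address actually differs from the cached one does it flush the stale SAD/SPD entries and trigger an IPsec restart. The state directory, the `host` lookup, the `setkey -F` / `setkey -FP` flush and the `IPSEC_RESTART_CMD` hook are assumptions for illustration; the restart command depends on the pfSense release, so it is left for the administrator to set.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): re-establish IPsec tunnels
# to a DynDNS peer only when that peer's address has really changed.
#
# Assumptions: ipsec-tools' setkey is available (-F flushes the SAD, -FP the
# SPD); the 'host' resolver tool exists; IPSEC_RESTART_CMD is set by the admin
# to whatever restarts racoon/IPsec on their release. All paths are hypothetical.

STATE_DIR="${STATE_DIR:-/var/db/ipsec-peer-watch}"

# Resolve a hostname to its first IPv4 A record (empty string on failure).
resolve_a() {
    host -t A "$1" 2>/dev/null | awk '/has address/ { print $4; exit }'
}

# Accept only a dotted quad, so a failed or odd lookup never triggers a purge.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Return 0 when the cached address differs from the current one.
# An empty current address never counts as a change (lookup failure).
peer_changed() {   # args: cached current
    [ -n "$2" ] && [ "$1" != "$2" ]
}

# Purge policies/SAs that still point at the old peer address, then restart
# IPsec so the daemon re-reads the DynDNS hostname and negotiates afresh.
purge_and_renegotiate() {
    [ -n "$IPSEC_RESTART_CMD" ] || { echo "IPSEC_RESTART_CMD not set" >&2; return 2; }
    setkey -F          # flush security associations (assumption: ipsec-tools)
    setkey -FP         # flush security policies
    sh -c "$IPSEC_RESTART_CMD"
}

# Check one peer hostname. Exit status: 0 = address changed and tunnels were
# re-established, 1 = no change, 2 = lookup failed (nothing touched).
check_peer() {
    peer=$1
    mkdir -p "$STATE_DIR"
    cache="$STATE_DIR/$peer"
    cur=$(resolve_a "$peer")
    if ! is_ipv4 "$cur"; then
        echo "$peer: lookup failed, leaving tunnels alone" >&2
        return 2
    fi
    old=$(cat "$cache" 2>/dev/null)
    if [ -z "$old" ]; then
        printf '%s\n' "$cur" > "$cache"     # first run: just record the address
        return 1
    fi
    if peer_changed "$old" "$cur"; then
        echo "$peer: $old -> $cur, purging stale policies" >&2
        purge_and_renegotiate || return 2
        printf '%s\n' "$cur" > "$cache"
        return 0
    fi
    return 1
}

# Usage (e.g. from cron every few minutes): ipsec-peer-watch.sh peer1.dyndns.example peer2.dyndns.example
if [ "$#" -gt 0 ]; then
    for h in "$@"; do
        check_peer "$h" || true
    done
fi
```

Running this from cron on the side whose address stays fixed automates the "restart IPsec on the non-changed side" step described above, while the cached-address comparison avoids tearing down working tunnels on every poll; note that flushing the SPD drops every tunnel on the box, not just the one to the changed peer, which is acceptable here only because the restart rebuilds all of them.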



  • No worries, then; that specific issue is fixed in RC2 snapshots.

